Patch Tuesday
Patch Tuesday is usually the second Tuesday of each month, on which Microsoft releases security patches.
Starting with Windows 98, Microsoft included a "Windows Update" system that would check for patches to Windows and its components, which Microsoft would release intermittently. With the release of Microsoft Update, this system also checks for updates to other Microsoft products, such as Office, Visual Studio and SQL Server.
Patch Tuesday begins at 17:00 or 18:00 UTC. Sometimes there is an extraordinary Patch Tuesday, 14 days after the regular Patch Tuesday. There are also updates which are published daily (e.g. definitions for Windows Defender and Microsoft Security Essentials) or irregularly.
Seemingly Microsoft has a pattern of releasing a larger number of updates in even-numbered months, and fewer in odd-numbered months.
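The schedule described above can be computed ahead of time when planning maintenance windows. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes that the 17:00 or 18:00 UTC start corresponds to a 10:00 US Pacific release time under the post-2007 US daylight-saving rule.

```python
from datetime import date, datetime, timedelta, timezone

TUESDAY, SUNDAY = 1, 6  # date.weekday() numbering (Monday == 0)

def nth_weekday(year, month, weekday, n):
    """Return the n-th (1-based) occurrence of a weekday in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def patch_tuesday(year, month):
    """Second Tuesday of the month."""
    return nth_weekday(year, month, TUESDAY, 2)

def us_pacific_dst(day):
    """Assumption: DST runs from the second Sunday of March until the
    first Sunday of November (US rule in force since 2007)."""
    start = nth_weekday(day.year, 3, SUNDAY, 2)
    end = nth_weekday(day.year, 11, SUNDAY, 1)
    return start <= day < end

def release_utc(year, month):
    """Assumption: release at 10:00 Pacific, i.e. 17:00 UTC during DST
    and 18:00 UTC otherwise."""
    day = patch_tuesday(year, month)
    hour = 17 if us_pacific_dst(day) else 18
    return datetime(day.year, day.month, day.day, hour, tzinfo=timezone.utc)

def schedule(year):
    """One row per month: release instant, the following 'Exploit
    Wednesday', and the possible extraordinary release 14 days later."""
    rows = []
    for month in range(1, 13):
        release = release_utc(year, month)
        rows.append({
            "release_utc": release,
            "exploit_wednesday": release.date() + timedelta(days=1),
            "extraordinary": release.date() + timedelta(days=14),
        })
    return rows

if __name__ == "__main__":
    for row in schedule(2024):
        print(row["release_utc"].isoformat(),
              row["exploit_wednesday"], row["extraordinary"])
```

March is the month to watch: the second Tuesday can fall before the daylight-saving switch, in which case the release is still at 18:00 UTC.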
Patch-deployment costs
Earlier versions of the Windows Update system suffered from two problems. The first was that less-experienced users were often unaware of Windows Update and did not install it; Microsoft's solution was the "Automatic Update," which notified each user that an update was available for their system. The second problem was that customers, such as corporate users, with many copies of Windows not only had to update every Windows deployment in the company but also uninstall patches issued by Microsoft that broke existing functionality.
In order to reduce the costs related to the deployment of patches, Microsoft introduced "Patch Tuesday" in October 2003. In this system, security patches are accumulated over a period of one month and then dispatched all at once on the second Tuesday of the month, an event for which system administrators may prepare. Some speculate that Tuesday was selected so that post-patch problems could be discovered and resolved before the weekend, but, certainly, not every patch-induced problem may be cured in that time. The non-Microsoft terms for the following day are "Exploit Wednesday" and "Day Zero," when attacks may be launched against the newly announced vulnerabilities.
Security implications
The most obvious security implication is that security problems that have a solution are withheld from the public for a period of up to a month. This policy is adequate when the vulnerability is not widely known or extremely obscure, but that is not always the case.
There have been cases where either vulnerability information or actual worms were released to the public a day or two before Patch Tuesday. This did not leave Microsoft enough time to incorporate a fix for said vulnerabilities, and thus, theoretically, left a one-month window for attackers to exploit the hole, before a patch is available to formally fix it. Microsoft issues critical patches as they become ready, however, so this is not generally a problem.
Exploit Wednesday
Many exploitation events are seen shortly after the release of a patch. By analyzing the patch, exploitation developers can more easily figure out how to exploit the underlying vulnerability, and attack systems that have not been patched. Therefore the term "Exploit Wednesday" was coined.
Also, starting to abuse an unpatched exploitation entry point on this day gives malicious code writers the longest period of time before a fix is supplied to users. Malware authors can sit on the vulnerability of a new exploitation entry point until after a given Patch Tuesday, knowing that there will be an entire month before Microsoft releases any patch to fix it.
Bandwidth impact
Microsoft's download servers do not honor the TCP slow-start congestion control strategy. As a result, other uses of the Internet may be significantly slowed from machines actively retrieving updates. This can be particularly noticeable in environments where many machines individually retrieve updates over a shared, bandwidth constrained link such as those found in many small to medium sized businesses. To some extent the bandwidth demands of patching a group of computers can be alleviated by deploying Windows Server Update Services.
External links
- Microsoft: Bulletins and Advisories (Security Bulletin List and Search)
- Microsoft Support Website
- Bruce Schneier's blog - Example of report about vulnerability found in the wild with timing seemingly coordinated with "Patch Tuesday".
- HD Moore: Exploiting DLL Hijacking Flaws HD Moore's blog - Report on DLL Hijacking vulnerability and exploit that led to many patches on Patch Tuesday in August 2010
- Bruce Schneier's blog - Example of a quick patch response, not due to a security issue but for DRM-related reasons.